Score:0

Linux Networking - How to dynamically filter network packets within a short time range


I am trying to find a solution to dynamically filter network packets with strict timing constraints, based on an IP list, on a Linux operating system.

I cannot install additional software or modify the kernel or libraries to add modules to iptables, for example.

I have a piece of equipment that receives too many network packets, and I need to find a way to filter network packets dynamically with a 200ms cycle.

For example, let's say I have 3 IPs (192.168.0.1, 192.168.0.2, 192.168.0.3). I would need to dynamically change the iptables configuration every 200ms to block the 1st IP's packets for the 1st 200ms cycle, then block the 2nd IP's packets for the 2nd 200ms cycle, and so on and so forth.

Would anyone know an efficient solution that takes this stringent time constraint into account? My first idea is to dynamically change the iptables configuration, but I'm concerned about the performance and the timing.

Has anyone performed the same kind of work, or does anyone know of a solution that is already implemented and working?

Thanks a lot for your help,

What is the problem that this proposed solution is intended to solve? It seems pretty strange and likely to be an [XY problem](https://en.wikipedia.org/wiki/XY_problem). That said, I have never done what the question asks for in particular, but with regard to dynamically changing addresses, I would say [`ipset`](https://ipset.netfilter.org/ipset.man.html) may be helpful rather than changing the iptables rules.
Aeternal:
Thanks a lot for your comment! I did not know about ipset and will have a look at it. This solution would be temporary and aims to "filter" network packets to reduce the load on the equipment's CPU. It is presently receiving too many messages, and some of them are not intended for this equipment. However, I cannot perform any L7 filtering because I lack the proper binaries or iptables modules in the kernel.
vidarlo:
Sounds like you'd rather want to limit throughput?
Aeternal:
After some thinking, I also think that a rate limiter using iptables on a per-IP basis is the best and easiest solution to implement.
asmath:
Correct, you can simply use the limit option in this case (`-m limit --limit count/minute --limit-burst ouny`).
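The per-source rate limit the comments converge on, as an added example that is not code from this thread or from any of its participants. It assumes plain iptables with the `limit` match available (the thread says extra modules may be missing), and the chain name `RATE_LIMIT`, the rate `50/second` and the burst `20` are placeholders. One point the comment above glosses over: `-m limit` keeps a single token bucket per rule, so limiting per IP with that module alone needs one accept/drop rule pair per address, which is what this script generates (the `hashlimit` match would do it in one rule, if that module happens to be present). By default it only prints the commands so they can be reviewed; run it with `APPLY=1` as root to install them.

```shell
#!/bin/sh
# Added example: per-source packet rate limiting with the iptables `limit` match.
# Assumed/placeholder values: chain RATE_LIMIT, 50 packets/s average, burst 20.
# Override with environment variables (IPT, CHAIN, RATE, BURST).

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-RATE_LIMIT}"
RATE="${RATE:-50/second}"   # average packets allowed per source
BURST="${BURST:-20}"        # extra packets allowed in a burst above the average

# rules_for_ip IP -> prints the two rules for one source address:
#   1) within the limit: RETURN, so the rest of INPUT still decides the packet's fate
#   2) beyond the limit: DROP
rules_for_ip() {
    ip="$1"
    printf '%s -A %s -s %s -m limit --limit %s --limit-burst %s -j RETURN\n' \
        "$IPT" "$CHAIN" "$ip" "$RATE" "$BURST"
    printf '%s -A %s -s %s -j DROP\n' "$IPT" "$CHAIN" "$ip"
}

# build_ruleset IP... -> prints the full command list: (re)create the chain,
# one rule pair per address, then hook the chain into INPUT exactly once.
build_ruleset() {
    # Create the chain, or flush it if it already exists (safe to rerun).
    printf '%s -N %s 2>/dev/null || %s -F %s\n' "$IPT" "$CHAIN" "$IPT" "$CHAIN"
    for ip in "$@"; do
        rules_for_ip "$ip"
    done
    # -C checks whether the jump already exists, so reruns do not duplicate it.
    printf '%s -C INPUT -j %s 2>/dev/null || %s -I INPUT -j %s\n' \
        "$IPT" "$CHAIN" "$IPT" "$CHAIN"
}

# count_rules IP... -> number of commands build_ruleset would run (sanity check).
count_rules() {
    build_ruleset "$@" | wc -l | tr -d ' '
}

# apply_ruleset IP... -> execute the generated commands (requires root).
apply_ruleset() {
    build_ruleset "$@" | sh -e
}

# Sample input: the three addresses from the question (constructed example).
if [ "${APPLY:-0}" = 1 ]; then
    apply_ruleset 192.168.0.1 192.168.0.2 192.168.0.3
else
    build_ruleset 192.168.0.1 192.168.0.2 192.168.0.3
fi
```

Because the generated rules are appended per address, the list can be rebuilt whenever the set of noisy sources changes without touching the rest of INPUT; the chain is flushed and refilled in place rather than the whole table being reloaded. Use `iptables -L RATE_LIMIT -v -n` to watch the per-rule packet counters and confirm which sources are actually being throttled.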